summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-10-27 12:26:28 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:20 -0500
commit13b0da09eed7e786644d92c05ddd62697337aaf0 (patch)
tree02c3af6f3f887aa32f1cb8571f3b5bfaa05a49c4
parente408e14154e99e46417e8734a1ea9078bf2db4cd (diff)
downloadsamba-13b0da09eed7e786644d92c05ddd62697337aaf0.tar.gz
samba-13b0da09eed7e786644d92c05ddd62697337aaf0.tar.xz
samba-13b0da09eed7e786644d92c05ddd62697337aaf0.zip
r11325: Fix up some kerberos notes.
Andrew Bartlett (This used to be commit 89623af30f25150da42a17f825e202b2ae9f7898)
-rw-r--r--source4/auth/kerberos/kerberos-notes.txt29
1 files changed, 14 insertions, 15 deletions
diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt
index 83fb886c45..c9a4d2bfe6 100644
--- a/source4/auth/kerberos/kerberos-notes.txt
+++ b/source4/auth/kerberos/kerberos-notes.txt
@@ -236,10 +236,13 @@ the kerberos libraries
- gsskrb5_acquire_creds() (takes keytab and/or ccache as input
parameters, see keytab and state machine discussion)
+ - gss_krb5_copy_service_keyblock() (get the key used to actually
+ encrypt the ticket to the server, because the same key is used for
+ the PAC validation).
- gsskrb5_extract_authtime_from_sec_context (get authtime from
kerberos ticket)
- gsskrb5_extract_authz_data_from_sec_context (get authdata from
- ticket, ie the PAC)
+ ticket, ie the PAC. Must unwrap the data if in an AD-IFRELEVENT)
- gsskrb5_wrap_size (find out how big the wrapped packet will be,
given input length).
@@ -282,17 +285,9 @@ cifs/foo@realm (winxp clients, using netbios)
as well as all case variations on the above.
-Because that all got 'too hard' to put into a keytab (and because we
-still wanted to supply a keytab to the GSSAPI code), a 'wildcard'
-keytab was devised. MEMORY_WILDCARD: is much like MEMORY:, except it
-only matches on kvno, rather than on the principal name.
-
-Another way of handling this amy be to declare "" as a wildcard name,
-or perhaps allow principal names to be fnmatch() or regex expressions.
-
-Hmm, looking over the code again, I'm really not sure we need this...
-We should be able to just specify the same principal as a desired name
-(GSSAPI) and principal (keytab).
+Because that all got 'too hard' to put into a real keytab (and because we
+still wanted to supply a keytab to the GSSAPI code), we use in-memory
+keytabs, and specify the target name.
Extra Heimdal functions used
----------------------------
@@ -357,6 +352,10 @@ consistancy in the handling of requests, binding to sockets etc.
To handle TCP, we will use of our socket layer in much the same way as
we deal with TCP for CIFS. Tridge has promised this generalisation.
+For the client, we likewise must take over the socket functions, so
+that our single thread smbd will not lock up talking to itself. (We
+allow processing while waiting for packets in our socket routines).
+
Kerberos logging support
------------------------
@@ -414,7 +413,7 @@ accounts, and perform other controls.
Kpasswd server
--------------
-I have a partial kpasswd server which needs finishing, and a client
-testsuite written, either via the krb5 API or directly against GENSEC
-and the ASN.1 routines.
+I have a partial kpasswd server which needs finishing, and a we need a
+client testsuite written, either via the krb5 API or directly against
+GENSEC and the ASN.1 routines.